Apologies @ps but I don't actively use lein. I'll take a look at this today if I get some time. is there a way you can test just running lein repl with your credentials sourced from the project directory to see if we can eliminate the profile null error you are getting via your current method?
@jaret is there a way that the datomic api accepts access key and secret directly rather than through a profile?
this would also be helpful to deploy on something like heroku
You can certainly source credentials or create env vars. But I don't recommend that you hard code a solution here. As Joe and others have mentioned you can supply a creds-profile/creds-provider option in your client config map, but you have to have those things configured. Docs on credentials in AWS: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html. let me know the results of running lein repl from your project and if you can load your project namespaces with credentials sourced.
Just a friendly mention that there's a broken link on "Log API" in this section https://docs.datomic.com/on-prem/best-practices.html#use-log-api
should i expect any downtime while deploying to a query group with a single node, which is serving a handler via http-direct?
@joshkh Depends on if you set the max size of the QG to 1 vs the desired size.
desired size is 1, max size is 4*
Then I believe any disruption should be minimal, not sure about your application specifics. That being said, why not just change the QG to size 2+ during the deployment and shrink it back down after?
that's a possibility for sure. but before i script out the process in CI to spin up a second instance, wait for health checks, deploy and tear down, i'd like to confirm first that a small downtime is expected with a desired capacity 1, minimum query group instances 1, maximum query group instances 4, minimum number of query group instances during (CF) update 1.
i would have thought the 1/4 split would temporarily scale the group. you have a good point about application specifics, perhaps something is delaying a response past the health check.
You should test that scenario to see if it matches your needs and expectations. Have you done that already?
yeah 🙂 asking only because it's something i've been experiencing
Is there a recommended way to provide private access to a Datomic Cloud application without exposing it to the internet? I'm trying to figure out how to give access to an application I have deployed via Datomic Ions in a Production topology Datomic Cloud VPC to other users in our private AWS network. The Datomic instructions for setting up API Gateway HTTP Direct will route traffic over the external internet, which I'd like to avoid.
Hi @esp1, we DO support this and have for quite some time. I'll make a quick playbook for how to do this and send it to you today or tomorrow. We will update our docs accordingly.
Great, thanks @lanejo01!
I do this by invoking the Ion Lambda using the AWS API. It was a bit tricky to get the request/response encoding right but, once done, it works great for internal Ion access
He’s talking about http-direct though which will have much higher performance, especially in the same vpc.
Let me know if you run into problems with that.
Thanks @lanejo01! This is helpful, but I am actually interested in getting users that are logged in to our corporate AWS cloud through VPN access to the Datomic VPC - so they would be accessing it from outside the Datomic VPC, but inside our corporate AWS network. The two options I was exploring were:
• Setting up peering/routing to the Datomic VPC directly
• Using a private API Gateway endpoint
I can go the peering/routing way, but that would involve making changes to the Datomic VPC, and I was concerned that if I needed to update Datomic VPC via the CF templates those changes might be lost.
The private API GW endpoint seemed like it would be a solution that could be managed independently from the Datomic CF stacks, but I haven't set up one of these before and have been struggling with how to craft an appropriate resource policy to make it work.
We should work together on this in a support case ^ but I would recommend an API GW.
Can you throw me an e-mail at firstname.lastname@example.org and I will get together a recommended policy.
perhaps after I can add this to the docs.
Thanks @jaret, will do